OFFICE OF THE INSPECTOR GENERAL

SOCIAL SECURITY ADMINISTRATION

THE SOCIAL SECURITY ADMINISTRATION’S PC MALL GOV, INCORPORATED CONTRACT

July 2012    A-14-11-01133

AUDIT REPORT

Mission

By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA’s programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.

Authority

The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

• Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
• Promote economy, effectiveness, and efficiency within the agency.
• Prevent and detect fraud, waste, and abuse in agency programs and operations.
• Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
• Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

• Independence to determine what reviews to perform.
• Access to all information necessary for the reviews.
• Authority to publish findings and recommendations based on the reviews.

Vision

We strive for continual improvement in SSA’s programs, operations and management by proactively seeking new ways to prevent and deter fraud, waste and abuse. We commit to integrity and excellence by supporting an environment that provides a valuable public service while encouraging employee development and retention and fostering diversity and innovation.

SOCIAL SECURITY

MEMORANDUM

Date:      July 31, 2012                    Refer To:

To:        The Commissioner

From:      Inspector General

Subject:   The Social Security Administration’s PC Mall Gov, Incorporated, Contract (A-14-11-01133)

OBJECTIVE

Our objectives were to (1) ensure the Social Security Administration (SSA) received the goods and services for which it contracted and (2) review the services provided by PC Mall Gov, Incorporated, (PCMG) and the related costs charged to the Agency for adherence to the negotiated contract terms and applicable regulations.

BACKGROUND

Since 1990, SSA has been upgrading its Storage Tek Tape and Automated Cartridge System equipment through various contracts and purchase orders. SSA contracted with PCMG to update or replace its aging Powderhorn 9310 Tape Silo Infrastructure with newer SL8500 Tape Libraries, Virtual Storage Managers, state-of-the-art tape drives, and related equipment and media.

SSA uses the PCMG firm-fixed-price [1] delivery order [2] contract, with a base year and four 1-year options, to acquire tape storage hardware, software, and related equipment as well as installation, maintenance, upgrades, and nation-wide relocation services. [3] The period of performance is September 28, 2007 to September 27, 2012. As of September 30, 2011, SSA had authorized 42 contract modifications and obligated $74.18 million.

[1] The President’s Council on Integrity & Efficiency, Advisory and Assistance Services: A Practical Reference Guide, December 2000, page 5, defines a firm-fixed-price contract as one in which the contractor agrees to perform the entire job for a pre-determined price. In January 2009, the President’s Council on Integrity and Efficiency was superseded by the Council of the Inspectors General on Integrity and Efficiency. See Inspector General Reform Act of 2008, Pub. L. No. 110-409 § 7, 5 U.S.C. App. 3 § 11.
[2] SSA issued delivery orders in the form of contract modifications to request the number of goods and services it needed from the contract price list.
[3] SSA contract SS00-07-31209, issued September 28, 2007.

We examined the contract and associated invoices. We interviewed staff in SSA’s Offices of Budget, Finance and Management; Human Resources; and Systems. We also contacted Headquarters and field office staff regarding the equipment purchased and installed. See Appendix B for additional scope and methodology and Appendix C for our sampling methodology.

RESULTS OF REVIEW

Based on our analysis of contract invoices, equipment inventory, and contractor employees’ background information, we determined that SSA received the goods and services for which it contracted and was generally satisfied with PCMG’s work. The costs billed to SSA generally adhered to the negotiated contract terms and applicable contract guidelines.
Nothing came to our attention to indicate that SSA did not comply with applicable regulations.

We found that SSA had implemented controls and practices to help ensure PCMG adhered to the contract terms based on our review of the contract and interviews with the contract team, including the Contracting Officer’s Technical Representative (COTR), [4] contracting officer (CO), and accounts payable staff. We found that the COTR reviewed and certified invoices timely, which helped SSA’s Office of Finance (OF) comply with Federal law and regulation. [5] Moreover, the CO negotiated several discounts with PCMG that saved SSA $12.8 million.

We identified four areas where the Agency could improve its administrative oversight and monitoring of the contract. Although these conditions did not materially affect SSA’s ability to properly manage and oversee the PCMG contract, we are bringing these conditions to your attention to help you improve your contract management and oversight processes. Specifically, we found SSA did not

• record its capital equipment [6] as personal property assets in the General Ledger (GL);
• record PCMG purchases in a property inventory management system;
• comply with its suitability determination [7] policies and procedures; and
• comply with the Federal Information Security Management Act (FISMA) [8] requirements for agencies to provide contractors with security awareness training.

[4] The President’s Council on Integrity & Efficiency, Advisory and Assistance Services: A Practical Reference Guide, December 2000, page 4 defines a COTR as an individual designated and authorized, in writing, by the CO to perform specific technical functions.
[5] “In 1982, Congress enacted the Prompt Payment Act (‘Act’; Pub. L. 97–177) to require Federal agencies to pay their bills on a timely basis, to pay interest penalties when payments are made late, and to take discounts only when payments are made by the discount date. The Act, as amended, is found at 31 U.S.C. Chapter 39” 64 Fed. Reg. 52580 (September 29, 1999).
[6] AIMS, § 04.01.03 defines capitalized property as “. . . personal property that has an acquisition value of $100,000 or more and is recorded in the SSA General Ledger Accounts.”

SSA DID NOT RECORD ITS CAPITAL EQUIPMENT AS PERSONAL PROPERTY ASSETS IN THE GL

We found that during Fiscal Years (FY) 2008 through 2011, SSA ordered and received 38 items, totaling $14.1 million, with purchase prices ranging from $109,000 to $1.8 million but did not record these items in the GL. In addition, we found 12 items, [9] totaling $4.1 million, whose aggregate costs exceeded the $100,000 capitalization threshold but were not recorded in the GL.

SSA’s Administrative Instructions Manual System (AIMS), Material Resource Manual (MRM) section 04.01, defines property with an aggregate acquisition cost of $100,000 or more as capitalized property (assets). [10] SSA recorded 36 of the 38 assets as expenses instead of recording them as capitalized assets. Consequently, SSA understated its personal property amount in the GL by $18 million. During these 4 years, SSA also overstated its information technology (IT) equipment expense and understated its IT equipment depreciation.

The Agency used the SSA Streamlined Acquisition System (SSASy) to order from PCMG 50 items whose costs exceeded $100,000. We reviewed the PCMG contract and contract modifications 1 through 42 to determine the number of IT equipment items ordered that exceeded $100,000. To test whether SSA properly recorded purchases exceeding $100,000 as personal property assets, we compared contract-ordering data to information recorded in the GL.
In turn, we reviewed a GL query listing the accounting code entries for PCMG purchases that exceeded $100,000. Our analysis showed 38 items whose purchase price exceeded $100,000. However, only 2 of the 38 items had the asset accounting code. [11] The remainder had the expense accounting code. [12]

[7] 5 C.F.R. § 731.101 Administrative Personnel, defines the suitability determination as a decision by the Office of Personnel Management or an agency with delegated authority that a person is suitable or is not suitable for employment in covered positions in the Federal Government or a specific Federal agency.
[8] Federal Information Security Management Act of 2002, Pub. L. No. 107-347, 116 Stat. 2899, Title III (2002).
[9] For these 12 items, none of the purchase prices for the 36 component parts exceeded $100,000, but when assembled, the total cost was $339,000, each ($339,000 X 12 = $4,068,000).
[10] AIMS, § 04.01.03 defines capitalized property as “personal property that has an acquisition value of $100,000 or more and is recorded in the SSA General Ledger Accounts.”
[11] A Subobject Classification Code (SOC) of 3124 represents an asset.
[12] A SOC code of 315A or 2574 represents an expense.

We discussed our concerns with Agency representatives. SSA’s OF staff informed us that the GL posts the accounting codes recorded in SSASy. For personal property assets to be posted to the GL, employees would need to code the orders in SSASy using an asset accounting code instead of an expense accounting code. SSA staff also stated that since the errors were less than 5 years old, the entries could be corrected.

In its FY 2011 financial statements, SSA reported $139 million in personal property assets, but that total did not include the 48 PCMG items totaling $18 million. This omission led to a discrepancy of at least 11.5 percent.
However, this understatement did not materially affect the Agency’s financial statements for Chief Financial Officers Act [13] and Government Accountability Office (GAO)/President’s Council on Integrity and Efficiency (PCIE) [14] reporting purposes. [15]

We recommend that the Agency

• correct accounting codes for the items that should have been capitalized and
• develop controls to prevent similar errors in the future.

For example, SSA could modify the SSASy-GL interface to display an error message when the purchase price exceeds the capitalization threshold and the order contains an accounting expense code. In addition, SSA could modify the GL system to generate a periodic listing of purchases with accounting expense codes that exceeded the capitalization threshold. In turn, GL staff could then notify the originating component to correct entries.

After our fieldwork ended, OF staff members informed us that OF had instituted controls to ensure OF staff records equipment as personal property assets in the GL. OF created a weekly automated list of the SSASy equipment transactions meeting SSA’s capitalization threshold. OF staff manually reviews contract documents to determine whether the items listed on the query are correctly coded. OF staff reported they had corrected the accounting codes in the GL to capitalize the items identified through the PC Mall audit.

SSA DID NOT RECORD PCMG PURCHASES IN A PROPERTY INVENTORY MANAGEMENT SYSTEM

This finding is similar to our previous finding because both involved SSA staff entering information into an Agency financial or inventory system. However, in the first finding, Agency staff made erroneous entries in the GL. For this finding, Agency staff omitted the entry in the Agency’s inventory system.

[13] Chief Financial Officers Act of 1990, Pub. L. No. 101-576 § 303, 31 U.S.C. § 3515.
[14] GAO/PCIE Financial Audit Manual, Volume 1, Section 230, July 2008.
[15] The error-posting threshold for FY 2011 was $151 million.

Our review determined that SSA did not record approximately $62 million in equipment purchased under SSA contract SS00-07-31209 in any of its inventory management systems. The items were not recorded because Agency staff responsible for entering the data in the appropriate personal property inventory management system did not know SSA’s inventory recording policies. By not having inventory recorded in any of the Agency’s inventory management systems, SSA increased its risk of paying for maintenance costs for items that were no longer operational.

SSA’s AIMS, MRM section 04.04 [16] lists three personal property asset categories.

• Capitalized property [17] is an item with an aggregate acquisition cost of $100,000 or more.
• Accountable property [18] is an end item [19] with an aggregate acquisition value of $3,000 [20] to $99,999.
• Sensitive property is an item whose theft, loss, or misplacement could negatively affect SSA’s mission or goal to preserve the public trust regardless of cost. [21]

SSA requires that the components owning any of these three types of property account for and record them in SSA’s Sunflower Assets Property System. [22] The custodial component should also record this property in its custodial property system. We could not find all the IT equipment related to the PCMG contract in these property systems.

We reviewed the property management records in SSA’s Sunflower Assets Property System and the Office of Telecommunications and Systems Operations (OTSO) custodial property records.
The Sunflower System extract had 3 items totaling $110,000 recorded, and OTSO’s custodial inventory system extract had 1,208 items totaling $31.79 million [23] recorded. Additionally, we found that OTSO’s custodial officers had not performed periodic physical inventories and had not performed a physical inventory when there was a change in custodial officers.

[16] AIMS, § 04.04, Physical Inventory of Personal Property, April 2010.
[17] AIMS, § 04.01.03 defines capitalized property as “. . . personal property that has an acquisition value of $100,000 or more and is recorded in the SSA General Ledger Accounts.”
[18] AIMS, § 04.01.03 issued in April 2006 defines accountable property as “The end item of personal property with an aggregate acquisition value of $1,000 to $99,999 including property owned, leased or otherwise under Government control.” “All personal property within the accountable dollar threshold must be recorded in a system to be maintained by the PAO [Property Accountable Officer].”
[19] AIMS § 04.01.03 defines end item as an item of equipment that is not part of a larger item.
[20] When SSA issued the contract on September 28, 2007, the lower dollar threshold for accountable property was $1,000. However, on April 12, 2010, SSA increased the lower dollar threshold of accountable property to $3,000 via AIMS, section 04.04.02.
[21] AIMS, MRM, § 04.04.02 Policy, (April 2010).
[22] The Sunflower Assets Property System is a database that the Agency uses to account for sensitive property that costs less than $3,000 and items of equipment with an acquisition cost greater than $3,000. See generally, SSA, AIMS - MRM, 4.04 (April 12, 2010).

The Sunflower staff informed us that it is the owning component’s responsibility (that is, OTSO) to enter its accountable property into the Sunflower System. Staff also stated that it had not received any physical inventory reports from OTSO’s custodial officers during the contract period.

During the contract period, OTSO created the Hewlett Packard Asset Management (HPAM) inventory system. The HPAM staff stated they uploaded the records from OTSO’s previous inventory system into HPAM so any PCMG items recorded in the prior inventory system should be in HPAM. Items uploaded directly into the HPAM system are formatted into files that Sunflower accesses to update its database.

We obtained data extracts from both Sunflower and HPAM. We identified three items in Sunflower’s data extract that matched items on the HPAM data extract.
In addition, we could not verify that the Sunflower data extract included the entire PCMG inventory.

We recommend that the Agency adhere to its own policies and procedures to account for equipment acquired under the PCMG contract in a property management system.

SSA MAY NOT HAVE COMPLIED WITH ITS SUITABILITY DETERMINATION POLICIES AND PROCEDURES

We found nine individuals who received suitability determinations for other SSA contracts who may have worked on the PCMG contract without PCMG or the COTR notifying SSA’s Center for Personnel Security and Project Management (CPSPM). PCMG informed SSA that these nine contractor personnel were available to assist in the installation of the equipment purchased during the first 15 months of the contract. During this time, CPSPM found only one person suitable to work on this contract. However, we could not determine whether any of these nine had entered SSA buildings to work on the PCMG contract. The CO, COTR, and CPSPM did not receive any requests from PCMG to obtain suitability determinations for these individuals to work on this PCMG contract.

According to the contract, [24] “The Contractor must submit the completed forms for each employee and replacement employee (including each subcontractor employee) who will be performing under the contract to the Protective Security SPO [now CPSPM]. The Government will not permit Contractor personnel to perform under the contract until the pre-screening process is complete.”

[23] The inventory did not have values for 160 of the 1,208 items.
[24] SSA contract SS00-07-31209, issued September 28, 2007, Section 14.0, page 38.

It is possible that one or more of these nine worked on the PCMG contract without seeking a new suitability letter.
If this occurred, CPSPM did not have the opportunity to determine whether the previous suitability determination for these individuals was appropriate for the PCMG contract and issue new suitability letters for these individuals.

In a previous audit, [25] we identified instances where individuals received a suitability determination for one SSA contract then transferred to another SSA contract. We recommended SSA ensure that all contractor personnel working on different contracts receive the appropriate suitability determinations for each contract even if it means undergoing another suitability determination.

When an entity has multiple contracts with the Agency and those contracts have different risk levels, individuals assigned to one contract may not have had the proper background investigation to work under another contract. For example, some contractor personnel may only need physical access to SSA facilities, and some contractors may need both physical access and access to SSA’s information systems. CPSPM personnel stated the COTR is responsible for obtaining a new suitability letter from CPSPM for every individual transferring from one contract to another.

In response to our previous reviews, SSA informed us that it had implemented a new system [26] to correct this issue. After the Contractor Enrollment Request Management System (CERMS) implementation, we were not aware of any suitable individuals who transferred to the PCMG contract without obtaining an additional suitability letter. However, SSA staff agreed with us that CERMS was not designed to prevent or detect instances where an individual found suitable to work on one contract then works on another contract without obtaining an additional suitability determination. We reiterate our prior recommendation that SSA ensure that all contractor personnel working on different SSA contracts receive the appropriate suitability determinations for each contract.
The contractor personnel in this situation must receive a suitability letter from CPSPM before working on any additional contracts.

After our fieldwork ended, CPSPM staff informed us that the standard suitability contract clause would be updated so it would address our recommendation for this finding.

[25] SSA OIG, The Social Security Administration’s Oversight of MDRC Contract No. SS00-06-60075 (A-15-08-18010), December 22, 2008.
[26] SSA OIG, Status of Recommendations report for SSA OIG, The Social Security Administration’s Oversight of MDRC Contract No. SS00-06-60075 (A-15-08-18010), December 22, 2008. SSA developed a new application, the CERMS, to better manage its contractor personnel screening process.

SSA DID NOT COMPLY WITH FISMA’S REQUIREMENTS FOR AGENCIES TO PROVIDE CONTRACTORS WITH SECURITY AWARENESS TRAINING

The Office of Acquisition and Grants’ (OAG) standardized security clauses [27] used in the PCMG contract did not contain or reference FISMA security requirements. [28] Without these clauses, SSA staff monitoring contract compliance did not know they needed to provide PCMG contractors with security awareness training and to request the contractors sign a Personnel Security Certification form. By not receiving training, the contractors could inadvertently violate SSA’s security, confidentiality, and ethics rules. Moreover, should any contractor’s noncompliance result in the Agency bringing an adverse action, not having the signed certification form could allow that contractor to successfully claim ignorance of the policy and the consequences for noncompliance.

Congress enacted FISMA [29] in 2002, and each year the Office of Management and Budget (OMB) issues FISMA reporting instructions [30] containing OMB’s interpretations of the FISMA requirements.
According to OMB, [31] contracts for IT acquisitions should contain FISMA, OMB Circular A-130, and National Institute of Standards and Technology requirements. In 2006, SSA stated [32] that these security awareness requirements apply to contractors even if contractors never access electronic information systems as users. Moreover, in 2006, OMB stated [33] that contracts for IT services must reflect FISMA requirements and agencies have had several years to make these contract modifications. In particular, OMB stated [34] in 2007 that FISMA requires that agencies provide contractors with security awareness training and training about the agency’s policies and rules of behavior.

[27] Clause AS 2401, Protection of Confidential Information (section 12.0 on page 28 of Contract); Clause AS 2402, Contractor responsibilities Regarding Personally Identifiable Information (section 13.0 on page 30 of contract); and Clause AS 403, Security Requirements Clause (section 14.0 on page 36 of contract).
[28] OMB, Memorandum M-07-19, FY 2007 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, July 25, 2007.
[29] Federal Information Security Management Act of 2002, Pub. L. No. 107-347, 116 Stat. 2899, Title III (2002).
[30] See OMB Memoranda Web Page (http://www.whitehouse.gov/omb/memoranda_default).
[31] OMB, Memorandum M-06-20, FY 2006 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, July 17, 2006.
[32] SSA, Information Systems Security Handbook, Appendix H, Security Training, November 15, 2006.
[33] OMB, Memorandum M-06-20, FY 2006 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, July 17, 2006.
[34] OMB, Memorandum M-07-19, FY 2007 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, July 25, 2007.

In March 2007, SSA issued [35] its Information Systems Security Handbook (ISSH) to meet the FISMA requirement to establish an agency-wide information security program and the policies to support that program. SSA information security policy applies to all SSA employees and contractors.

ISSH, Appendix H, [36] addresses SSA’s implementation of the FISMA security training requirements. ISSH states [37] that all employees and contractors must receive a standard level of security awareness training each year.

ISSH, Appendix B, [38] requires that all contractor personnel sign a Contractor Personnel Security Certification form. Should the contractors need access to Agency systems, they must sign the form before accessing SSA’s systems. The purpose of the form is to document that the contractors have certified they understand SSA’s security, confidentiality and ethics requirements and the penalties for noncompliance.

ISSH also has requirements for the CO, project officer, and security officers. [39] The CO must ensure that all relevant security statements and contract clauses are included in all solicitation and contract documents.
The contract’s COTR [40] must ensure that all contractor personnel sign the Personnel Security Certification and maintain the completed forms. In addition, the COTR and the security officers must inform contractor personnel about their security responsibilities and make them aware of their responsibilities for protecting sensitive information as specified in the contract.

In August 2007, OAG requested solicitations for bids on the PCMG contract. As stated above, both OMB and SSA issued requirements that contractors must receive security awareness training. [41] In addition, SSA issued its policy requiring that its contractors sign a Personnel Security Certification form. [42] However, OAG did not update its standard security clauses or create a new clause to include FISMA and Agency requirements.

[35] SSA, Information Systems Security Handbook, Version 1.5, March 19, 2007.
[36] SSA, Information Systems Security Handbook, Appendix H, Security Training, November 15, 2006.
[37] Id.
[38] SSA, Information Systems Security Handbook, Appendix B, Roles and Responsibilities, November 15, 2006.
[39] Id.
[40] Department of Health and Human Services, Project Officer Handbook, Section V, Post-Award Administration.
[41] OMB, Memorandum M-07-19, FY 2007 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, July 25, 2007 and SSA, Information Systems Security Handbook, Appendix H, Security Training, November 15, 2006.
[42] SSA, Information Systems Security Handbook, Appendix B, Roles and Responsibilities.

We contacted the CO and COTR to obtain copies of the Personnel Security Certification forms for the PCMG contractors. The CO and COTR stated they were not familiar with the ISSH requirements regarding contractor security awareness training and the requested certification forms.
Because the CO and COTR were not aware of ISSH\nrequirements, they did not train the contractors, and the contractors did not sign the\ncertifications. In addition, the CO and COTR stated that the Chief Information Officer\nreviewed and approved the contract without the ISSH requirement.\n\nIn our FY 2011 FISMA report, 43 we stated the Agency required that its employees\ncomplete their FY 2011 annual security awareness training through an automated\ninteractive program. However, we found the Agency did not require that contractors\ncomplete annual security awareness training through this interactive program. The\nAgency plans to require contractors to use this automated program in FY 2012.\n\nWe recommended that SSA establish a timeframe for contractor personnel to complete\nsecurity awareness training. We reiterate this recommendation and also recommend\nthe Agency update the contract security clause to address contractors receiving security\nawareness training and signing Personnel Security Certification forms.\n\nCONCLUSION AND RECOMMENDATIONS\nWe found that SSA received the contracted goods and services and was generally\nsatisfied with PCMG\xe2\x80\x99s work. In addition, the related costs PCMG charged to SSA\ngenerally adhered to the negotiated contract terms and applicable contract terms.\nNothing came to our attention to indicate that SSA did not comply with applicable\nregulations.\n\nWe also found that SSA implemented controls and practices to help ensure PCMG\nadhered to the contract terms. We identified four areas where the Agency could\nimprove its administrative oversight and monitoring of the contract. Although these\nconditions did not materially affect SSA\xe2\x80\x99s ability to properly manage and oversee the\nPCMG contract, we are bringing these conditions to your attention in hopes that this\ninformation will improve your contract management and oversight processes. We\nrecommend SSA:\n\n1. 
Correct accounting codes for the items that should have been capitalized and\n   develop controls to prevent similar errors in the future.\n\n2. Adhere to its own policies and procedures to account for equipment acquired under\n   the PCMG contract in a property management system.\n\n3. Ensure contractor personnel working on SSA contracts receive the appropriate\n   suitability determinations for each contract.\n\n\n43\n  SSA OIG, Fiscal Year 2011 Evaluation of the Social Security Administration\xe2\x80\x99s Compliance with the\nFederal Information Security Management Act of 2002 (A-14-11-01134), November 14, 2011.\n\x0cPage 11 - The Commissioner\n\n\n4. Establish a timeframe for contractor personnel to complete security awareness\n   training and update the contract security clause to address contractors receiving\n   security awareness training and signing Personnel Security Certification forms.\n\nAGENCY COMMENTS\nThe Agency agreed with our recommendations. See Appendix D for the full text of the\nAgency\xe2\x80\x99s comments.\n\nOIG RESPONSE\nWe applaud the Agency for taking quick action to address our recommendations.\nHowever, in reference to Recommendation 2, the Agency stated, \xe2\x80\x9cAs of March 9, 2012,\nall hardware at the National Computer Center has been asset tagged. Since its\ninception, we properly tagged all assets at the Second Support Center. We consider\nthis recommendation closed for tracking purposes.\xe2\x80\x9d We do not agree that SSA's action\nfully resolves our concerns. Until these assets are both tagged and recorded in a\nproperty management system, this recommendation should remain open.\n\n\n\n\n                                        Patrick P. 
O’Carroll, Jr.

Appendices
APPENDIX A – Acronyms
APPENDIX B – Scope and Methodology
APPENDIX C – Sampling and Methodology
APPENDIX D – Agency Comments
APPENDIX E – OIG Contacts and Staff Acknowledgments

Appendix A

Acronyms
AIMS          Administrative Instructions Manual System
CERMS         Contractor Enrollment Request Management System
C.F.R.        Code of Federal Regulations
CO            Contracting Officer
COTR          Contracting Officer’s Technical Representative
CPSPM         Center for Personnel Security and Project Management
DDS           Disability Determination Services
FISMA         Federal Information Security Management Act
FY            Fiscal Year
GL            General Ledger
HPAM          Hewlett Packard Asset Management
ISSH          Information Systems Security Handbook
IT            Information Technology
MRM           Material Resource Manual
OAG           Office of Acquisition and Grants
OF            Office of Finance
OMB           Office of Management and Budget
OIG           Office of the Inspector General
OTSO          Office of Telecommunications and Systems Operations
PCMG          PC Mall Government, Inc.
PSC           Program Service Center
Pub. L. No.   Public Law Number
SSA           Social Security Administration
SSASy         SSA's Streamlined Acquisition System
SOC           Subobject Classification Code
U.S.C.        United States Code

Appendix B

Scope and Methodology
To accomplish our audit objectives, we:

1. Obtained and reviewed the Social Security Administration’s (SSA) contract with
   PC Mall Government, Incorporated (PCMG), Contract No.
   SS00-07-31209, and the
   42 contract modifications issued as of September 30, 2011.

2. Selected and tested a sample of 11 invoices related to the contract (Modification 00),
   and 7 of 36 contract modifications issued as of December 31, 2010. See sampling
   methodology in Appendix C.

3. Selected for review all PCMG employees and tested their associated suitability
   forms, security access, and security awareness training records.

4. Reviewed the applicable Federal laws, regulations, and guidance.

5. Contacted or interviewed key SSA management and staff in SSA’s Offices of
   Budget, Finance and Management; Human Resources; and Systems. In particular
   we contacted and interviewed those who executed and managed the contract,
   including SSA’s

      o contracting officer;
      o Offices of Budget, Finance, and Management; Financial Policy and
        Operations; and Finance and
      o Contracting Officer’s Technical Representative.

In addition to the contract-level review, we tested a portion of the contract to determine
how well SSA executed and managed the contract in cost verification, timeliness,
security and accountability. Our testing focused on reviewing all 29 invoices paid for the
orders shown on 8 modifications selected for our review (see Appendix C).

We determined the computer-processed data were sufficiently reliable for our intended
use. We conducted tests to determine the completeness and accuracy of the data,
which allowed us to assess the reliability of the data and achieve our audit objectives.

We performed our fieldwork at six SSA program service center locations, 1 one State
disability determination services location, 2 SSA’s data centers, 3 and SSA Headquarters 4
between April 2010 and December 2011.
The principal entities audited were SSA’s
Offices of Acquisitions and Grants; Financial Policy and Operations; and
Telecommunications and Systems Operations.

We conducted this performance audit in accordance with generally accepted
government auditing standards. Those standards require that we plan and perform the
audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. We believe the evidence
obtained provides a reasonable basis for our findings and conclusions based on our
audit objectives.

1 We visited the Northeastern Program Service Center (PSC) in Jamaica, New York; the Mid-Atlantic PSC
in Philadelphia, Pennsylvania; the Southeastern PSC in Birmingham, Alabama; the Great Lakes PSC in
Chicago, Illinois; the Mid-America PSC in Kansas City, Missouri; and the Western PSC in Richmond,
California.
2 We visited the North Carolina Disability Determination Services in Raleigh, North Carolina.
3 The two SSA data centers we visited are the National Computer Center in Woodlawn, Maryland; and the
Second Support Center in Durham, North Carolina.
4 The SSA Headquarters complex is in Woodlawn, Maryland.

Appendix C

Sampling Methodology
The Social Security Administration (SSA) obtained equipment, software and related
services through its contract with PC Mall Government, Incorporated (PCMG), by
issuing (1) task orders from the base contract and (2) contract modifications. During the
first 3 years of the 5-year contract, SSA issued task orders from the base contract and
36 modifications totaling approximately $68.7 million.
We selected our sample items as
follows.

    •   We reviewed the 10 invoices with the highest dollar value from a population of
        119 invoices paid during the 3-year period. These 10 invoices represented
        purchases primarily for SSA’s 2 data centers totaling $32 million, which
        represents about 46.6 percent of the $68.7 million spent.
        Each of these 10 invoices had varying numbers of line items. We reviewed a
        minimum of 1, and maximum of 12, line items per invoice, for a total of 87 line
        items. We selected 179 items 1 from the 87 line items for physical inventory
        testing.

We selected 1 additional invoice for review, for $1.2 million that contained SSA’s
purchases for its 6 program service centers (PSC) and 7 of the 54 disability
determination services (DDS). We selected 29 items from the 9 line items for physical
inventory testing. We visited the North Carolina DDS site and all six PSCs to perform
the physical inventory testing.

    •   After selecting the samples, we attempted to match the sample items to a serial
        number list provided by the Agency. However, not all the equipment or products
        sampled had serial numbers. Some of the items ordered were subcomponents
        for larger machines or moving parts that did not have observable serial numbers.
        In addition, SSA had traded-in 14 items we selected for review. Consequently,
        we only tested 72 items that had observable serial numbers at the 2 data
        centers, the 6 PSCs, and 1 DDS. We observed all 72 items. These 72 items
        accounted for approximately $7.4 million in purchases.
    •   For the review of contract deliverables and invoices, we found that the contractor
        issued 28 invoices to obtain payment for the 8 modifications used in the physical
        inventory testing.
        We compared the quantity and unit prices from the invoices to
        the quantity and unit prices of goods ordered. Nothing came to our attention to
        indicate SSA paid more than the contract price for any item, paid for items not
        ordered, or paid for items not received.

1 The items selected were primarily for equipment, but included software, installation fees, maintenance
fees, tape media and credits.

Appendix D

Agency Comments

Social Security
MEMORANDUM

Date:      July 9, 2012
Refer To:  S1J-3

To:        Patrick P. O’Carroll, Jr.
           Inspector General

From:      Dean S. Landis /s/
           Deputy Chief of Staff

Subject:   Office of the Inspector General Draft Report, “The Social Security Administration’s PC Mall
           Gov, Incorporated, Contract” (A-14-11-01133)—INFORMATION

           Thank you for the opportunity to review the draft report. Please see our attached comments.

           Please let me know if we can be of further assistance. You may direct staff inquiries to
           Amy Thompson at (410) 966-0569.

           Attachment

COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL DRAFT REPORT,
“THE SOCIAL SECURITY ADMINISTRATION’S PC MALL GOV, INCORPORATED,
CONTRACT” (A-14-11-01133)

Recommendation 1

Correct accounting codes for the items that should have been capitalized and develop controls to
prevent similar errors in the future.

Response

We agree. As stated on page 4 of this report, we have corrected the accounting codes and
instituted controls to prevent similar errors in the future.
We consider this recommendation
closed for tracking purposes.

Recommendation 2

Adhere to its own policies and procedures to account for equipment acquired under the PC Mall
Gov, Incorporated contract in a property management system.

Response

We agree. As of March 9, 2012, all hardware at the National Computer Center has been asset
tagged. Since its inception, we properly tagged all assets at the Second Support Center. We
consider this recommendation closed for tracking purposes.

Recommendation 3

Ensure contractor personnel working on Social Security Administration contracts receive the
appropriate suitability determinations for each contract.

Response

We agree. We are in the process of updating the standard suitability contract clause to address
this finding.

Recommendation 4

Establish a timeframe for contractor personnel to complete security awareness training and
update the contract security clause to address contractors receiving security awareness training
and signing Personnel Security Certification forms.

Response

We agree. In 2008 we established a standardized contract clause, AS 402, to require contractors
to complete an annual security certification to serve as security awareness training. By
implementing this standardized clause, we also established a timeframe for contractor personnel
to complete the security awareness training and sign the security certification forms. The
contractor’s employees must complete the form annually and the contractor must notify the
Office of Information Security (OIS) and the appropriate Contracting Officer when they meet
this requirement. We requested PC Mall Gov to have its employees complete this certification
(attached).
However, since this contract pre-dates the implementation of AS 402 and the
contract has not been amended, we could not require PC Mall Gov employees or sub-contractors
to complete this certification.

OIS is responsible for coordinating our FISMA security activities and follows the annual
reporting instructions provided by the Office of Management and Budget (OMB). In 2011,
OMB issued memo M-11-33, FY 2011 Reporting Instructions for the Federal Information
Security Management Act and Agency Privacy Management, which provided additional context
for contractor awareness training. In response, we are transitioning to an automated annual
security training capability for those contractors with systems access. We are re-examining the
training requirements of FISMA and our policy now requires that we have an automated training
capability for those with systems access in response to the revised FISMA Reporting Instructions
received in 2011. We will update our security awareness training requirements in the ISSH and
contract clauses as appropriate.

Appendix E

OIG Contacts and Staff Acknowledgments
OIG Contacts

   Brian Karpe, Director, Information Technology Audit Division
   Mary Ellen Moyer, Audit Manager

Acknowledgments

In addition to those named above:

   Alan Lang, Senior Auditor

For additional copies of this report, please visit our Website at http://oig.ssa.gov/ or
contact the Office of the Inspector General’s Public Affairs Staff at (410) 965-4518.
Refer to Common Identification Number A-14-11-01133.

DISTRIBUTION SCHEDULE

Commissioner of Social Security
Chairman and Ranking Member, Committee on Ways and Means
Chief of Staff, Committee on Ways and Means
Chairman and Ranking Minority Member, Subcommittee on Social
Security
Majority and Minority Staff Director, Subcommittee on Social Security
Chairman and Ranking Minority Member, Committee on the Budget, House of
Representatives
Chairman and Ranking Minority Member, Committee on Oversight and Government
Reform
Chairman and Ranking Minority Member, Committee on Appropriations, House of
Representatives
Chairman and Ranking Minority, Subcommittee on Labor, Health and Human Services,
Education and Related Agencies, Committee on Appropriations,
House of Representatives
Chairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human
Services, Education and Related Agencies, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Committee on Finance
Chairman and Ranking Minority Member, Subcommittee on Social Security Pensions
and Family Policy
Chairman and Ranking Minority Member, Senate Special Committee on Aging
Social Security Advisory Board

Overview of the Office of the Inspector General
The Office of the Inspector General (OIG) is comprised of an Office of Audit (OA), Office of Investigations
(OI), Office of the Counsel to the Inspector General (OCIG), Office of External Relations (OER), and Office of
Technology and Resource Management (OTRM).
To ensure compliance with policies and procedures, internal
controls, and professional standards, the OIG also has a comprehensive Professional Responsibility and Quality
Assurance program.

Office of Audit
OA conducts financial and performance audits of the Social Security Administration’s (SSA) programs and
operations and makes recommendations to ensure program objectives are achieved effectively and efficiently.
Financial audits assess whether SSA’s financial statements fairly present SSA’s financial position, results of
operations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA’s
programs and operations. OA also conducts short-term management reviews and program evaluations on issues
of concern to SSA, Congress, and the general public.

Office of Investigations
OI conducts investigations related to fraud, waste, abuse, and mismanagement in SSA programs and operations.
This includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing
their official duties. This office serves as liaison to the Department of Justice on all matters relating to the
investigation of SSA programs and personnel. OI also conducts joint investigations with other Federal, State,
and local law enforcement agencies.

Office of the Counsel to the Inspector General
OCIG provides independent legal advice and counsel to the IG on various matters, including statutes,
regulations, legislation, and policy directives.
OCIG also advises the IG on investigative procedures and
techniques, as well as on legal implications and conclusions to be drawn from audit and investigative material.
Also, OCIG administers the Civil Monetary Penalty program.

Office of External Relations
OER manages OIG’s external and public affairs programs, and serves as the principal advisor on news releases
and in providing information to the various news reporting services. OER develops OIG’s media and public
information policies, directs OIG’s external and public affairs programs, and serves as the primary contact for
those seeking information about OIG. OER prepares OIG publications, speeches, and presentations to internal
and external organizations, and responds to Congressional correspondence.

Office of Technology and Resource Management
OTRM supports OIG by providing information management and systems security. OTRM also coordinates
OIG’s budget, procurement, telecommunications, facilities, and human resources. In addition, OTRM is the
focal point for OIG’s strategic planning function, and the development and monitoring of performance
measures. In addition, OTRM receives and assigns for action allegations of criminal and administrative
violations of Social Security laws, identifies fugitives receiving benefit payments from SSA, and provides
technological assistance to investigations.
"